/optee_os/core/tee/tee_svc.c

934885496e6db0b7c4c8ca28a1aee6696dcc72a6 Wed Jan 30 13:43:35 UTC 2019 Jerome Forissier <jerome.forissier@linaro.org>

core: scrub user-tainted memory returned by alloc_temp_sec_mem()

This is a security fix for TA-to-TA calls.

In syscall_open_ta_session() and syscall_invoke_ta_command(), caller TA can reference some private memory, in which case the kernel makes a temporary copy. Unfortunately, memory allocated through alloc_temp_sec_mem() is not cleared when returned. One could leverage this to copy arbitrary data into this secure memory pool or to snoop former data from a previous call done by another TA (e.g., using TEE_PARAM_TYPE_MEMREF_OUTPUT allows mapping the data while not overwriting it, hence accessing what is already there).

This patch introduces mobj_free_wipe() to clear and free an mobj.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.5]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
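
A small model of the reuse problem the commit message describes, as an added example that is not OP-TEE code and not part of the commit. The pool, `temp_alloc()`, `temp_free()`, `ta_to_ta_call()` and `stale_data_visible()` are hypothetical names, and the copy-back of an output buffer from a callee that writes nothing is an assumption made to keep the model short.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical one-chunk model of a temporary secure memory pool (not OP-TEE code). */
#define POOL_SIZE 64
static unsigned char pool[POOL_SIZE];

enum param_type { MEMREF_INPUT, MEMREF_OUTPUT };

/* Allocation hands out the chunk as-is; nothing clears it on the way out. */
static unsigned char *temp_alloc(size_t len) { return len <= POOL_SIZE ? pool : NULL; }

/* Release with optional scrub; the volatile pointer keeps the wipe from being optimised away. */
static void temp_free(unsigned char *p, size_t len, int wipe)
{
    volatile unsigned char *v = p;
    while (wipe && len--)
        *v++ = 0;
}

/* TA-to-TA call on a caller-private buffer: INPUT is copied in, OUTPUT is only copied back. */
static int ta_to_ta_call(enum param_type type, unsigned char *buf, size_t len, int wipe)
{
    unsigned char *tmp = temp_alloc(len);
    if (!tmp) return -1;
    if (type == MEMREF_INPUT)
        memcpy(tmp, buf, len);
    /* The callee TA would run here; in this model it writes nothing. */
    if (type == MEMREF_OUTPUT)
        memcpy(buf, tmp, len);
    temp_free(tmp, len, wipe);
    return 0;
}

/* Returns 1 if a later OUTPUT call reads back bytes left by an earlier INPUT call. */
int stale_data_visible(int wipe)
{
    unsigned char secret[] = "constructed-secret-of-TA-A"; /* constructed sample data */
    unsigned char out[sizeof(secret)] = {0};
    memset(pool, 0, sizeof(pool));
    ta_to_ta_call(MEMREF_INPUT, secret, sizeof(secret), wipe);
    ta_to_ta_call(MEMREF_OUTPUT, out, sizeof(out), wipe);
    return memcmp(out, secret, sizeof(secret)) == 0;
}

int main(void)
{
    printf("no wipe: %d, wipe: %d\n", stale_data_visible(0), stale_data_visible(1));
    return 0;
}
```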